January 1, 2020 has passed and California’s Consumer Privacy Act (CCPA) is now in effect.
Similar to Europe’s GDPR, the law has numerous parts. It forces companies to reveal what data they collect, gives users the right to delete that data and prevent its sale, and restricts how data can be used for online ads.
The outcome has far-reaching implications for most businesses with customers in California.
Good vs Bad
For consumer advocates, the law could meaningfully improve online privacy without losing what people like best about the internet. Furthermore, global organizations that are currently adhering to GDPR laws will likely notice minor changes to their practices.
Others, however, warn that the California law threatens technology companies (Google, Facebook, LinkedIn and their ad service revenue streams) and other businesses by disallowing what the industry calls ‘third-party behavioral profiling’. The result could have a big financial impact on businesses that use ad retargeting to sell more products.
The intentions of the Act are to provide California residents with the right to:
- Know what personal data is being collected about them
- Know whether their personal data is sold or disclosed, and to whom
- Say no to the sale of personal data
- Access their personal data
- Request that a business delete any personal information it has collected about them
- Not be discriminated against for exercising their privacy rights
Regardless of whether or not you are selling customer data, it’s important to understand how the CCPA impacts your business(es). The following is a simple guideline to help you determine how you will be impacted, with helpful tips for preparing for and becoming compliant with CCPA regulations.
1. How does CCPA impact your business?
Not every company is impacted by the new California Consumer Privacy Act. The law applies to businesses that:
- Collect information on California residents, and
- Buy, receive, or sell the personal information of 50,000 or more consumers, households or devices, or
- Generate 50% of their annual revenue from selling consumers’ personal information, or
- Generate gross annual revenue of $25 million or greater, and
- Are structured as for-profit organizations
While many companies do not qualify under these categories, it is important to understand your corporate structure to ensure that your business is not subject to CCPA by proxy. For instance, if you are part of a larger organization or group that does require CCPA compliance, then your business most likely must also be compliant.
2. It takes a small village for CCPA compliance
Many SMBs and mid-market companies rely on IT/marketing teams to adhere to legal compliance. While data tracking and storage is typically a marketing or IT task, adhering to the CCPA is a legal compliance issue and must be treated as such. CCPA compliance requires a team of specialists, including attorneys, compliance officers, technical and marketing/data experts to ensure all legal compliance needs are met to protect your business.
This team should regularly review the compliance strategy and address potential implications. This is important because as your business grows, or your marketing becomes more sophisticated, you may begin falling into categories that require CCPA compliance.
3. Take an organized, steady approach
Culture shifts do not happen overnight. Rushing policy change will fail miserably and most likely frustrate team members. Your goal should be to take an organized, steady approach to change. At a minimum, you should consider:
- Gaining buy-in and support from leadership
- Assessing your personal data collection practices
- Developing a steady cadence for reviewing, enhancing and complying with CCPA regulations
- Educating and training your employees so they understand the impact and know what to expect in their roles
4. Document “reasonable security” practices
Your team should review information security processes against established data security standards such as those from the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), or the CIS Critical Security Controls. Companies should ensure that sufficient documentation of those controls is in place to demonstrate ‘reasonable security’ in the event of a data breach.
5. Revise your online privacy notice
Assess and revise your internal (non-customer-facing) and external privacy policies and procedures to align with CCPA compliance guidelines. The policies should be drafted with the specific needs and uses of the organization in mind to ensure that they are implementable, useful, and enforceable.
Once completed, update your website and employee privacy policies to include descriptions of the categories of information collected, third parties with whom data is shared, and rights available to individuals under CCPA.
6. Have a good understanding of data being collected
It is important to know the various types of personal information that you are collecting, the reasons for which you collect it, and the types of entities to whom you disclose it.
You should also consider your ‘offline’ data. CCPA pushes data privacy disclosures into the offline realm, including onsite consumer interactions.
7. Establish an information request process
Businesses that fail to comply with verification requirements and release personal information to the harm of the consumer may face expensive litigation for those mistakes. It is important to establish a process for the intake of consumer access and deletion requests to ensure that your organization is not caught off guard and slow to respond.
8. Train employees
CCPA places a strong emphasis on training of personnel who will be responsible for receiving and acting on consumer requests. Your employees need to understand their privacy program so they can help reduce risk for the business, from a people, process, and technical perspective.